Canada's Bill C-22: A Renewed Threat to Digital Privacy and Encryption

Canada's proposed legislation, Bill C-22, also known as the Lawful Access Act, has reignited concerns over digital rights and surveillance. Following the failure of its predecessor, Bill C-2, this new bill aims to expand government access to user data through mandatory metadata retention, backdoor requirements for encrypted services, and increased information sharing with foreign governments. Below, we address key questions about the bill's provisions, risks, and implications for Canadian and global privacy.

What exactly is Bill C-22, and how does it differ from last year's Bill C-2?

Bill C-22 is essentially a revised version of Bill C-2, which was abandoned after widespread backlash from privacy advocates. While Bill C-2 aimed to erode digital rights under the guise of border security, C-22 makes minor tweaks but retains the core elements that privacy experts found objectionable. The most significant change is a slight clarification in language, but the underlying mechanisms remain: mandatory metadata retention for a year, expanded data sharing with foreign governments (including the U.S.), and a provision allowing the Minister of Public Safety to demand that companies build surveillance backdoors into their services. Critics argue these changes are cosmetic, leaving the same threats to privacy and security intact.

Source: www.eff.org

What kind of metadata does Bill C-22 require companies to retain, and why is this problematic?

The bill forces digital service providers, such as telecoms, messaging apps, and others, to record and store metadata for a full 12 months. Metadata includes details like who you communicate with, when, and from where, though not the content of messages themselves. However, this data can reveal intimate patterns of behavior, such as social connections, daily routines, and locations. By mandating extended retention, C-22 increases the amount of personal information held by companies, creating a larger target for hackers and unauthorized access. Even when message content is encrypted, metadata retention itself poses privacy risks, because metadata can be used to infer sensitive information without ever decrypting that content.

How does Bill C-22's backdoor provision threaten encryption and user security?

One of the most alarming aspects of C-22 is the power it grants to the Minister of Public Safety to demand that companies create a backdoor—a method for law enforcement to access user data—provided that doing so does not introduce a “systemic vulnerability.” However, security experts and major tech companies assert that any backdoor into an encrypted system inherently creates a systemic vulnerability. The bill also prohibits companies from publicly disclosing such orders. This echoes the UK's demand for Apple to backdoor its Advanced Data Protection feature, which led Apple to remove the feature for UK users entirely. If enacted, Canadian companies would face the impossible choice of weakening security for all users or refusing government orders and facing penalties.

Why are the definitions in Bill C-22 considered dangerously vague?

The bill uses terms like “systemic vulnerabilities” and “encryption” without precise legal definitions, leaving room for the government to interpret them broadly. For example, the government could argue that a targeted backdoor is not systemic if limited to a small number of users, even though it still compromises the overall security architecture. Similarly, the scope of “digital services” is overbroad, potentially covering not just apps but also operating systems. This ambiguity could allow mandates that require companies to circumvent strong encryption, despite government assurances to the contrary. Canadian officials have stated they believe it is possible to add surveillance without introducing systemic vulnerabilities, but cryptography experts unanimously disagree, as any intentional weakness can be exploited by malicious actors.

What real-world example illustrates the dangers of backdoors like those proposed in C-22?

The 2024 Salt Typhoon hack serves as a stark warning. In that incident, attackers exploited a system that Internet service providers had built to comply with law enforcement access requirements. This system, designed to provide lawful interception of user data, became a vector for a massive breach. The hack demonstrated that any infrastructure created for surveillance purposes inevitably attracts sophisticated adversaries, from cybercriminals to state-sponsored hackers. If Bill C-22 forces companies to construct similar backdoors, the risk of such attacks multiplies. The Salt Typhoon incident underscores that the danger of surveillance backdoors is not theoretical—it is a proven vulnerability that has already caused widespread damage.

How have major tech companies and international bodies responded to Bill C-22?

Both Meta and Apple have publicly opposed Bill C-22, citing concerns that it would grant the Canadian government powers akin to those demanded by the UK, which forced Apple to disable Advanced Data Protection for British users. In the United States, the House Judiciary and Foreign Affairs committees sent a joint letter to Canada's Minister of Public Safety, warning that backdoor mandates would undermine cybersecurity and cross-border trust. These responses highlight a growing consensus that such legislation threatens not only Canadian privacy but also global security. The tech industry fears that C-22 could set a precedent for other nations to demand similar vulnerabilities, ultimately eroding the end-to-end encryption that protects billions of users worldwide.
